threading: Fix copy_lpf_progress initialization

The copy_lpf_progress bitfield might not be fully cleared when size goes down. Credit to Oss-Fuzz.
author: Victorien Le Couviour--Tuffet <victorien@videolan.org> 2022-08-30 18:21:54 +0300
committer: Victorien Le Couviour--Tuffet <victorien@videolan.org> 2022-08-30 18:31:28 +0300
commit: a3a55b18494f5dd1e34f289298f78ffa4f32a25d (patch)
tree: 56eb5e881bcaa35aa15a530b978ca7f4d4ff9b18
parent: cd5e415270285a58f48c1e9ec1a2dd024b9acf9f (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/src/thread_task.c b/src/thread_task.c
index 53aa41e..655956c 100644
--- a/src/thread_task.c
+++ b/src/thread_task.c
@@ -192,13 +192,14 @@ static int create_filter_sbrow(Dav1dFrameContext *const f,
         const int prog_sz = ((f->sbh + 31) & ~31) >> 5;
         if (prog_sz > f->frame_thread.prog_sz) {
             atomic_uint *const prog = realloc(f->frame_thread.frame_progress,
-                                              prog_sz * 2 * sizeof(*prog));
+                                              2 * prog_sz * sizeof(*prog));
             if (!prog) return -1;
             f->frame_thread.frame_progress = prog;
             f->frame_thread.copy_lpf_progress = prog + prog_sz;
             f->frame_thread.prog_sz = prog_sz;
         }
-        memset(f->frame_thread.frame_progress, 0, prog_sz * 2 * sizeof(atomic_uint));
+        memset(f->frame_thread.frame_progress, 0, prog_sz * sizeof(atomic_uint));
+        memset(f->frame_thread.copy_lpf_progress, 0, prog_sz * sizeof(atomic_uint));
         atomic_store(&f->frame_thread.deblock_progress, 0);
     }
     f->frame_thread.next_tile_row[pass & 1] = 0;
author	Victorien Le Couviour--Tuffet <victorien@videolan.org>	2022-08-30 18:21:54 +0300
committer	Victorien Le Couviour--Tuffet <victorien@videolan.org>	2022-08-30 18:31:28 +0300
commit	a3a55b18494f5dd1e34f289298f78ffa4f32a25d (patch)
tree	56eb5e881bcaa35aa15a530b978ca7f4d4ff9b18
parent	cd5e415270285a58f48c1e9ec1a2dd024b9acf9f (diff)